2016-03-27
Install Semantic UI into your project

OUTDATED


2016-03-27
webpack

OUTDATED


2016-03-26
Mac

I bought a MacBook last November because I wanted a machine solely for programming and work; for me, Windows is mainly for video games.
I've been using the Mac for a couple of months, and I think it has the best of both worlds from Windows and Linux:

  • A good GUI
  • No need to worry about hardware driver issues (For me this is the main reason why I gave up installing Linux on my laptop)
  • Unix based bash tools
  • I'm more comfortable messing around with $PATH and installing programs globally, compared to Windows
  • A single OS and hardware environment makes it easier to Google my questions

Of course it's not perfect: there aren't many choices in terms of accessories, you pretty much need to stick with Apple-branded stuff, and it is just expensive.
And regular mice just don't work well with Mac OS X.


2015-07-19
Hexo workflow

Start local server

hexo server
hexo server -p (port)

It watches for local changes and runs hexo generate automatically behind the scenes.
One issue with this automatic update approach is that deleted tags are not removed from the tag list, but this can be solved
by stopping the server and then generating the pages manually (hexo generate).

Create new post

hexo new (post-name)

Create new page

hexo new page (page-name)

The URL is (blog-index)/(page-name)

Deploy changes to actual server

hexo generate
hexo deploy

Notes

Deployment

  • You can force hexo to regenerate all pages by deleting the public folder and then running hexo generate. This is useful for issues such as a title not being updated in the article list pages.
  • When using git as the deployment method, deleting the .deploy_git folder and then deploying results in a force update on the target server/branch. This might be useful if you don't want to preserve older versions of articles and pages.

2015-07-19
Apache httpd SSL Configuration

My company's client is going to run a penetration test on our product, and I was assigned to configure the Apache server, mainly to harden the SSL cipher settings.
Below are some notes on SSL configuration for Apache httpd.

Basics

Learn the SSL basics at http://www.wisegeek.com/what-is-an-ssl-cipher.htm

Basically, we need to configure which SSL protocols and ciphers are allowed.

For SSLProtocol, SSLv2 and SSLv3 have been proven vulnerable, so go with TLSv1, TLSv1.1 and TLSv1.2 whenever possible.

The main challenge is setting up the SSL ciphers: there is a large number of them, and some have been proven vulnerable, so you need to disable those without disabling all ciphers.
There is no single best setting, as it depends on which environments/browsers you want to support; some older environments may only have vulnerable ciphers available.

Test Tools, Websites

COMODO SSL Analyzer

This tool lists the available SSL protocols and ciphers, and it also gives hints about any vulnerable protocol or weak cipher. Disable all the ciphers or protocols that are marked
as weak/vulnerable.

QUALYS SSL LABS - SSL Server Test

This one gives more detailed results compared to the COMODO SSL Analyzer. It also gives a scaled score (scale from A to F I guess).
If your score is below A, it gives suggestions on how to improve.
This tool also runs connection tests for major browsers so that you can check whether all supported platforms can establish a connection to your website.
If you can get an A without losing any targeted browser support, then you should be good.

QUALYS FREESCAN

(Registration required)
This one will generate a much more detailed test report.
BUT be aware that you have a limited number of scans for each account.
I registered an account and found out that it only supports 10 reports by default; I did get an email explaining how to get more scans.

OpenSSL s_client

openssl s_client -cipher [cipher-names] -connect [host:port] (protocol flags)

Available protocol flags:

-ssl2 - just use SSLv2
-ssl3 - just use SSLv3
-tls1_2 - just use TLSv1.2
-tls1_1 - just use TLSv1.1
-tls1 - just use TLSv1
-dtls1 - just use DTLSv1

For cipher names, see https://www.openssl.org/docs/apps/ciphers.html for reference (use the short names).

Bluestack screenshot

We used this tool to check whether all supported browsers can establish a connection to our website.

Config example

The settings should be placed inside the corresponding VirtualHost block in httpd.conf or ssl.conf, or in some other custom .conf file.

SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite ALL:!aNULL:!eNULL:!LOW:!RC4:!MD5

SSLProtocol should be self-explanatory.
For SSLCipherSuite, check the syntax at http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite,
and check the available suites at https://www.openssl.org/docs/apps/ciphers.html.

We can also take a whitelist approach, like:

SSLCipherSuite HIGH:MEDIUM:!LOW

Here is a guideline you can follow:
SSL/TLS Strong Encryption: How-To

Common issues

Config does not get reflected even after httpd restart

This means that another VirtualHost block or another config file has overridden your configuration; you need to find it.

Forward secrecy not enabled

Add this line to the Apache config:

SSLHonorCipherOrder on

Anonymous cipher suites are not disabled

Add !aNULL to SSLCipherSuite
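
The checks from the config example and the common issues above, as an added example that is not part of the original post: a small Python audit that tracks which VirtualHost each SSL directive sits in and reports SSLv2/SSLv3 left enabled, a missing !aNULL, a missing SSLHonorCipherOrder on, and directives set in more than one place (the usual cause of a config that "does not get reflected"). The sample config, the function names and the worst-case reading of "all" are assumptions made for this example.

```python
import re
# Constructed sample (not from the post): hardened globals, then a weaker vhost.
SAMPLE_CONF = """\
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite ALL:!aNULL:!eNULL:!LOW:!RC4:!MD5
<VirtualHost *:8443>
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM:!LOW
</VirtualHost>
"""
DIRECTIVES = ("SSLProtocol", "SSLCipherSuite", "SSLHonorCipherOrder")
# Assumption: "all" is read as the worst case, SSLv2 and SSLv3 included.
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}

def collect(conf):
    """Map each directive to its (context, value) pairs in file order."""
    found, context = {d: [] for d in DIRECTIVES}, "global"
    for line in map(str.strip, conf.splitlines()):
        vhost = re.match(r"<(/?)VirtualHost\s*([^>]*)>", line, re.I)
        if vhost:  # an opening tag enters a vhost, a closing tag leaves it
            context = "global" if vhost.group(1) else "VirtualHost " + vhost.group(2)
        name, _, value = line.partition(" ")
        key = next((d for d in DIRECTIVES if d.lower() == name.lower()), None)
        if key:
            found[key].append((context, value.strip().strip('"')))
    return found

def enabled_protocols(value):
    """Evaluate SSLProtocol tokens: a bare name replaces the set, +/- adjust it."""
    enabled = set()
    for tok in value.split():
        bare = tok.lstrip("+-")
        names = ALL_PROTOCOLS if bare.lower() == "all" else {bare}
        enabled = (enabled - names if tok[0] == "-" else
                   enabled | names if tok[0] == "+" else set(names))
    return enabled

def audit(conf):
    found = collect(conf)
    issues = [f"{ctx}: SSLProtocol leaves {'/'.join(sorted(weak))} enabled"
              for ctx, val in found["SSLProtocol"]
              if (weak := enabled_protocols(val) & {"SSLv2", "SSLv3"})]
    issues += [f"{ctx}: SSLCipherSuite lacks !aNULL"
               for ctx, val in found["SSLCipherSuite"] if "!aNULL" not in val.split(":")]
    if not any(v.lower() == "on" for _, v in found["SSLHonorCipherOrder"]):
        issues.append("SSLHonorCipherOrder is never set to on")
    issues += [f"{name} is set in: " + ", ".join(c for c, _ in hits)
               for name, hits in found.items() if len(hits) > 1]
    return issues
```

Calling audit(SAMPLE_CONF) returns four findings, all traced to the VirtualHost *:8443 override; the three global lines on their own return none.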

Other Reference

The Basics of How to Work with Cipher Settings - Dr John’s Tech Talk
SSL and Penetration Test


2015-07-08
Hexo

Quick note on my thoughts on Hexo.

Pros:

  • Static website (except comments): I can just publish my blog using GitHub Pages or any free web hosting service.
  • Uses GitHub Flavored Markdown: I think Markdown is good for blogging, especially because you can just surround all code snippets with the ``` symbol without converting anything.
  • Easy to include images: each post can have a folder to hold all its assets, and you can then use Hexo tags to include them in the post.
  • Extensible: various plugins are available for Hexo.

Cons:

  • No way to customize the color scheme in themes: I've checked many Hexo themes and none of them provide options to adjust colors in _config.yml; it looks like this is not encouraged.
  • No easy way to unpublish articles: there is a publish command, but no unpublish. Right now I need to manually move articles back to the _draft folder to unpublish them.

More updates in the future.


2015-07-08
Re-Re-Restart

So, Logdown is apparently not in active development anymore, which means I need to move again.

I searched for alternatives for a while; one thing I want to have is ease of pasting code.
Most blog services, such as Google Blogger, don't support pasting code. You either need to convert your code to an HTML-escaped string or find some scripts to help you. Unfortunately I cannot find any service that makes this task easier.

Then I found Jekyll and Ruhoh. They are "static site generators", which means you can configure the site and write posts locally, then use these generators
to generate a static html/css/js site. I like this idea, because this approach gives me more control over my blog, and I don't need any web hosting service; GitHub Pages will be enough.

After a little bit of research on static site generators, I found Hexo and decided to give it a try. It supports GitHub Markdown, which I think will solve my concern about pasting code.

So after 2 days of trial and error, here is my new blog; hopefully I won't abandon it too quickly this time.

Goals of this blog:

  • Share my knowledge of programming or general computer stuff.
  • Serve as a note/reference site for myself, in case I forget something.
  • Practice English writing

Yes, my English sucks. So be prepared for a lot of grammar and spelling errors in this blog.
